improvements

[automated-distro-installer] / wrt-setup-local

#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.


set -e; . /usr/local/lib/bash-bear; set +e


usage() {
  cat <<EOF
usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC] [hostname]
setup my router in general: dhcp, dns, etc.

Type 2 or 3 is for setting up a backup device, there are two kinds so
that you can switch the main device to a backup, then a backup to the
main. Type test is for setting up a testing device.

Passing an empty string for WIRELESS_MAC, or if none is defined in the
secrets file, will cause the device's native mac to be used.

EOF

  exit $1
}



zblock=false
if [[ -e /root/zblock ]]; then
  zblock=true
fi

dnsmasq_restart=false
unbound_restart=false
firewall_restart=false
dev2=false
test=false
client=false
ap=false
libremanage_host=wrt2
lanip=1
while getopts hm:t:yz opt; do
  case $opt in
    h) usage 0 ;;
    t)
      case $2 in
        2|3)
          dev2=true
          libremanage_host=$hostname
          ;;&
        2)
          lanip=4
          hostname=wrt2
          ;;
        3)
          lanip=14
          hostname=wrt3
          ;;
        test)
          test=true
          ;;
        client)
          client=true
          ;;
        ap)
          ap=true
          lanip=53
          hostname=cmcap
          ;;
        *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
      esac
      ;;
    y)
      zblock=false
      rm -f /root/zblock
      ;;
    z)
      zblock=true
      touch /root/zblock
      ;;
    m)  mac=$OPTARG ;;
    *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
  esac
done
shift "$((OPTIND-1))"   # Discard the options and sentinel --

if [[ $1 ]]; then
  h=$1
elif [[ $hostname ]]; then
  h=$hostname
else
  h=cmc
fi

if [[ ! $hostname ]]; then
  hostname=$h
fi


secrets=false
if [[ -e /root/router-secrets ]]; then
  secrets=true
  # shellcheck source=/p/router-secrets
  source /root/router-secrets
fi

if [[ ! $mac ]] && ! $test && $secrets; then
  # if we wanted to increment it
  #mac=${mac:0: -1}$((${mac: -1} + 2))
  mac=${rwmac[$h]}
fi

if (( $# != 0 )); then
  usage 1
fi


macpre=${mac:0: -1}
macsuf=${mac: -1}


p_updated=false
pmirror() {
  if $p_updated; then
    return
  fi
  # background: upgrading all packages is not recommended because it
  # doesn't go into the firmware. build new firmware if you want
  # lots of upgrades. I think /tmp/opkg-lists is a pre openwrt 14 location.
  f=(/var/opkg-lists/*)
  if ! (( $(date -r ${f[0]} +%s) + 60*60*24 > $(date +%s) )); then
    if ! opkg update; then
      echo "$0: warning: opkg update failed" >&2
    fi
    p_updated=true
  fi
}

pi() {
  to_install=()
  for p in "$@"; do
    pname=${p##*/}
    pname=${pname%%_*}
    if [[ ! $(opkg list-installed "$pname") ]]; then
      to_install+=($p)
      pmirror
    fi
  done
  if (( ${#to_install[@]} >= 1 )); then
    opkg install ${to_install[@]}
  fi
}

v() {
  printf "+ %s\n" "$*"
  "$@"
}

######### uci example:#######
# # https://wiki.openwrt.org/doc/uci
# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
# wan="firewall.@zone[$wan_index]"
# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
#     # default is wan
#     v uci set firewall.@forwarding[0].dest=$forward_dest
#     uci commit firewall
#     firewall_restart=true
# fi
####### end uci example #####

uset() {
  printf "+ uset %s\n" "$*"
  local key="$1"
  local val="$2"
  local service="${key%%.*}"
  restart_var=${service}_restart
  if [[ ! ${!restart_var} ]]; then
    eval $restart_var=false
  fi
  if [[ $(uci get "$key") != "$val" ]]; then
    v uci set "$key"="$val"
    uci commit $service
    eval $restart_var=true
  fi
}

udel() {
  printf "+ udel %s\n" "$*"
  local key="$1"
  local val="$2"
  local service="${key%%.*}"
  restart_var=${service}_restart
  if [[ ! ${!restart_var} ]]; then
    eval $restart_var=false
  fi
  if uci get "$key" &>/dev/null; then
    v uci set "$key"="$val"
    uci commit $service
    eval $restart_var=true
  fi
}
cedit() {
  v command cedit -v "$@"
}


### network config
###
lan=10.0.0.0
if $test; then
  lan=10.1.0.0
elif [[ $hostname == cmc || $hostname == cmcap ]]; then
  lan=10.2.0.0
elif $client; then
  lan=10.3.0.0
fi

if $test; then
  ssid="gnuv3"
elif $secrets; then
  ssid=${rssid[$h]}
fi

: ${ssid:=librecmc}


if $secrets; then
  key=${rkey[$h]}
fi
: "${key:=pictionary49}"

mask=255.255.0.0
cidr=16
l=${lan%.0}

# why did we lock this? i don't know
#passwd -l root ||: #already locked fails

sed -ibak '/^root:/d' /etc/shadow
# /root/router created by manually running passwd then copying the resulting
# line. We have no mkpasswd on wrt/librecmc, then we scp it in.
cat /root/router >>/etc/shadow
# otherwise, serial console gets root login with no password
uset system.@system[0].ttylogin 1



cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doing block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
rm -f /etc/fstab
for d in /run/{arch,parabola}iso/bootmnt; do
cat >>/etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep $d &>/dev/null || mount $d
done
/etc/init.d/nfsd restart
EOFOUTER
chmod +x /usr/bin/archlike-pxe-mount

sed -i '/^root:/s,/bin/ash$,/bin/bash,' /etc/passwd



uset dropbear.@dropbear[0].PasswordAuth 0
uset dropbear.@dropbear[0].RootPasswordAuth 0
uset dropbear.@dropbear[0].Port 2220
if ! cmp -s /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key; then
  cp /root/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
  dropbear_restart=true
fi

if $dropbear_restart; then
  v /etc/init.d/dropbear restart
fi


uset network.lan.ipaddr $l.$lanip
uset network.lan.netmask $mask
if $dev2  || $client || $ap; then
  if $dev2 || $ap; then
    uset network.lan.gateway $l.1
    uset network.wan.proto none
    uset network.wan6.proto none
  fi
  /etc/init.d/dnsmasq stop
  /etc/init.d/dnsmasq disable
  /etc/init.d/odhcpd stop
  /etc/init.d/odhcpd disable
  rm -f /etc/resolv.conf
  if $ap; then
    cat >/etc/resolv.conf <<EOF
nameserver $l.1
EOF
  else
    cat >/etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
  fi

  # things i tried to keep dnsmasq running but not enabled except local dns,
  # but it didnt work right and i dont need it anyways.
  # uset dhcp.wan.ignore $dev2 # default is false
  # uset dhcp.lan.ignore $dev2 # default is false
  # uset dhcp.@dnsmasq[0].interface lo
  # uset dhcp.@dnsmasq[0].localuse 0
  # uset dhcp.@dnsmasq[0].resolvfile /etc/dnsmasq.conf
  # uset dhcp.@dnsmasq[0].noresolv 1
  # todo: populate /etc/resolv.conf with a static value

else
  # these are the defaults

  # this is not needed unless switching from the above condition.
  # disabling just to debug
  #uset network.lan.gateway ''

  uset network.wan.proto dhcp
  uset network.wan6.proto dhcpv6
  /etc/init.d/dnsmasq start
  # todo: figure out why this returns 1
  /etc/init.d/dnsmasq enable ||:
  /etc/init.d/odhcpd start
  /etc/init.d/odhcpd enable
fi

wireless_restart=false

if $client; then
  uset wireless.default_radio0.network 'wwan'
  uset wireless.default_radio0.ssid ${rclientssid[$h]}
  uset wireless.default_radio0.encryption 'psk2'
  uset wireless.default_radio0.device 'radio0'
  uset wireless.default_radio0.mode 'sta'
  uset wireless.default_radio0.bssid ${rclientbssid[$h]}
  # todo: look into whether 5g network is available.
  uset wireless.default_radio0.key ${rclientkey[$h]}
  uset wireless.radio0.disabled false
  uset wireless.radio1.disabled true
else
  # defaults, just reseting in case client config ran
  uset wireless.default_radio0.network lan
  uset wireless.default_radio0.mode ap
  for x in 0 1; do
    uset wireless.default_radio$x.ssid "$ssid"
    uset wireless.default_radio$x.key $key
    uset wireless.default_radio$x.encryption psk2
    if [[ $mac ]]; then
      uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
    fi
    # disable/enable. secondary device has wireless disabled
    uset wireless.radio$x.disabled $dev2
  done
fi

if grep '^OPENWRT_BOARD="mvebu/cortexa9"' /etc/os-release &>/dev/null; then
  # todo, I also enabled irqbalance, didnt script it though
  # https://forum.openwrt.org/t/wrt1900acs-wifi-issue-after-upgrade-from-19-07-to-21-02-vacuum-cleaner-legacy-rate-support/113311/28
  cat >/etc/rc.local <<'EOF'
echo "0" >> /sys/kernel/debug/ieee80211/phy0/mwlwifi/tx_amsdu
echo "0" >> /sys/kernel/debug/ieee80211/phy1/mwlwifi/tx_amsdu
exit 0
EOF
  chmod +x /etc/rc.local
  /etc/rc.local
  uset wireless.radio0.disassoc_low_ack 0
  uset wireless.radio1.disassoc_low_ack 0
fi


# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
# However, the default also chooses 11, and better to let it choose in case things change.
# case $HOSTNAME in
#   cmc)
#     uset wireless.radio0.channel 11
#     ;;
# esac


# usb, screen, relay are for libremanage
# rsync is for brc
#
# relay package temporarily disabled
# /root/relay_1.0-1_mips_24kc.ipk
#
# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
# prometheus-node-exporter-lua in practice.

pkgs=(
  tcpdump
  screen
  rsync
  kmod-usb-storage
  block-mount
  kmod-fs-ext4
  prometheus-node-exporter-lua-openwrt
  prometheus-node-exporter-lua
)

if ! $ap; then
  pkgs+=(
    unbound-daemon
    unbound-checkconf
  )
fi

v pi "${pkgs[@]}"
# nfs-kernel-server \
  #   openvpn-openssl adblock libusb-compat \
  #   kmod-usb-serial-cp210x kmod-usb-serial-ftdi \


cat >/etc/libremanage.conf <<EOF
${libremanage_host}_type=switch
${libremanage_host}_channel=1
EOF



v /etc/init.d/fstab enable ||:

# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# 255 == module already loaded
for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done

# for archlike pxe. The default settings in the installer expect to find
# the NFS at one of these dirs
mkdir -p /run/archiso/bootmnt
mkdir -p /run/parabolaiso/bootmnt

# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:

## ian: usb broke on old router. if that happens, can just comment this to disable problems
# echo | cedit /etc/config/fstab ||:
cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
config global automount
      option from_fstab 1
      option anon_mount 1

config mount
# /overlay is an / overlay mount for installing extra packages, etc.
# https://openwrt.org/docs/guide-user/additional-software/extroot_configuration
      option target     /mnt/usb
#      option target    /overlay
      option device     /dev/sda1
      option fstype     ext4
      option options    rw,async,noatime,nodiratime
      option enabled    0
EOF


# ian: disabled because afaik I don't need it, no benefit.
# config global autoswap
#       option from_fstab 1
#       option anon_swap 1

# config swap
#       option device   /dev/sda1
#       option enabled  1




# exportfs -ra wont cut it when its the same path, but now a bind mount
# todo: restart nfs when nfs is enabled?
#cedit /etc/exports <<EOF || v /etc/init.d/nfsd restart ||:
cedit /etc/exports <<EOF ||:
/mnt/usb  $lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt    $lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
/run/parabolaiso/bootmnt        $lan/$cidr(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF


# todo: enable nfs when we need it only.
# v /etc/init.d/portmap start
# v /etc/init.d/nfsd start
# v /etc/init.d/portmap enable
# v /etc/init.d/nfsd enable


cedit /etc/config/prometheus-node-exporter-lua <<'EOF' || /etc/init.d/prometheus-node-exporter-lua restart
config prometheus-node-exporter-lua 'main'
        option listen_ipv6 '0'
        option listen_interface 'lan'
        option listen_port '9100
EOF

# default, as of this writing is:
# config prometheus-node-exporter-lua 'main'
#       option listen_interface 'loopback'
#       option listen_port '9100'





########## openvpn exampl
########## missing firewall settings for routing lan
########## traffic
# v /etc/init.d/openvpn start
# v /etc/init.d/openvpn enable

# # from https://wiki.openwrt.org/doc/uci/firewall
# # todo: not sure if /etc/init.d/network needs restarting.
# # I did, and I had to restart the vpn afterwards.
# # This maps a uci interface to a real interface which is
# # managed outside of uci.
# cedit /etc/config/network <<'EOF' ||:
# config interface 'tun0'
#         option ifname 'tun0'
#         option proto 'none'
# EOF
# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
# config openvpn my_client_config
#         option enabled 1
#         option config /etc/openvpn/client.conf
# EOF


wgport=26000

network_restart=false
if $client; then
  cedit wific /etc/config/network <<EOF || network_restart=true
# https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
config interface 'wwan'
 option proto 'dhcp'
EOF
fi

cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
 option 'interface' 'lan'
 option 'target' '10.174.0.0'
 option 'netmask' '255.255.0.0'
 option 'gateway' '$l.2'

option interface 'wg0'
 option proto 'wireguard'
 option private_key '$(cat /root/wg.key)'
 option listen_port $wgport
 list addresses '10.3.0.1/24'
 list addresses 'fdfd::1/64'

# tp
config wireguard_wg0 'wgclient'
 option public_key '3q+WJGrm85r59NgeXOIvppxoW4ux/+koSw6Fee1c1TI='
 option preshared_key '$(cat /root/wg.psk)'
 list allowed_ips '10.3.0.2/24'
 list allowed_ips 'fdfd::2/64'
EOF

# Need to reload before we change dnsmasq to give out
# static ips in our new range.
if $network_restart; then
  v /etc/init.d/network reload
fi


### begin firewall edits ###
if $client; then
  cedit wific /etc/config/firewall <<EOF || firewall_restart=true
config zone
 option name    wwan
 option input    REJECT
 option output   ACCEPT
 option forward  REJECT
 option masq     1
 option mtu_fix  1
 option network  wwan
EOF
fi

case $hostname in
  wrt)
    cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
 option name ssh
 option src              wan
 option src_dport        22
 option dest_ip          $l.3
 option dest             lan
EOF
    ;;
  cmc)
    cedit host /etc/config/firewall <<EOF || firewall_restart=true
config redirect
 option name ssh
 option src              wan
 option src_dport        22
 option dest_ip          $l.2
 option dest             lan
EOF
    ;;
esac

{
  . /root/cmc-firewall-data
  cat <<EOF
## begin no external dns for ziva
config rule
 option src  lan
 option src_ip   10.2.0.23
 option dest_port 53
 option dest  wan
 option target REJECT


config rule
 option src wan
 option dest_ip   10.2.0.23
 option src_port 53
 option dest  lan
 option target REJECT


config rule
 option src  lan
 option src_ip   10.2.0.31
 option dest_port 53
 option dest  wan
 option target REJECT


config rule
 option src wan
 option dest_ip   10.2.0.31
 option src_port 53
 option dest  lan
 option target REJECT


config rule
 option src  lan
 option src_ip   10.2.0.32
 option dest_port 53
 option dest  wan
 option target REJECT


config rule
 option src wan
 option dest_ip   10.2.0.32
 option src_port 53
 option dest  lan
 option target REJECT
## end no external dns for ziva


config rule
 option src              wan
 option target           ACCEPT
 option dest_port        22

config redirect
 option name promkd
 option src              wan
 option src_dport        9091
 option dest_port        9091
 option dest_ip          $l.2
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        9091

# was working on an openvpn server, didn't finish
# config redirect
#  option name vpnkd
#  option src              wan
#  option src_dport        1196
#  option dest_port        1196
#  option dest_ip          $l.2
#  option dest             lan
# config rule
#  option src              wan
#  option target           ACCEPT
#  option dest_port        1196


config redirect
 option name sshkdalt
 option src              wan
 option src_dport        8989
 option dest_port        8989
 option dest_ip          $l.2
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        8989



config redirect
 option name icecast
 option src              wan
 option src_dport        8000
 option dest_port        8000
 option dest_ip          $l.2
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        8000

config rule
 option name sshcmc
 option src              wan
 option target           ACCEPT
 option dest_port        2220

config rule
 option name wg
 option src              wan
 option target           ACCEPT
 option dest_port        $wgport
 option proto            udp

config redirect
 option name navidromehttps
 option src              wan
 option src_dport        4500
 option dest_port        4500
 option dest_ip          $l.2
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        4500

config redirect
 option name navidrome
 option src              wan
 option src_dport        4533
 option dest_port        4533
 option dest_ip          $l.2
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        4533

# So a client can just have b8.nz dns even when they
# are on the lan.
#config redirect
# option name navidromelan
# option src              lan
# option src_dport        4533
# option dest_port        4533
# option dest_ip          $l.2
# option dest             lan


# config redirect
#  option name icecast
#  option src              wan
#  option src_dport        8000
#  option dest_port        8000
#  option dest_ip          $l.2
#  option dest             lan
# config rule
#  option src              wan
#  option target           ACCEPT
#  option dest_port        8000

config redirect
 option name http
 option src              wan
 option src_dport        80
 option dest             lan
 option dest_ip          $l.9
 option proto            tcp
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        80
 option proto            tcp

config redirect
 option name https
 option src              wan
 option src_dport        443
 option dest             lan
 option dest_ip          $l.9
 option proto            tcp
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        443
 option proto            tcp

# config redirect
# option name httpskd8448
#  option src              wan
#  option src_dport        8448
#  option dest             lan
#  option dest_ip          $l.2
#  option proto            tcp
# config rule
#  option src              wan
#  option target           ACCEPT
#  option dest_port        8448
#  option proto            tcp

config redirect
 option name syncthing
 option src              wan
 option src_dport        22001
 option dest_ip          $l.8
 option dest             lan
config rule
 option src              wan
 option target           ACCEPT
 option dest_port        22001


#config redirect
# option name i2p
# option src              wan
# option src_dport        $i2pport
# option dest_ip          $l.178
# option dest             lan
#config rule
# option src              wan
# option target           ACCEPT
# option dest_port        $i2pport

config rule
 option name ssh-ipv6
 option src wan
 option dest lan
 # note, using mac transform, we could allow all traffic to a host like this,
 # replacing 1 as appropriate
 #option dest_ip ::111:11ff:fe11:1111/::ffff:ffff:ffff:ffff
 option dest_port 22
 option target ACCEPT
 option family ipv6

# config rule
#  option name http-ipv6
#  option src wan
#  option dest lan
#  option dest_port 80
#  option target ACCEPT
#  option family ipv6

# config rule
#  option name https-ipv6
#  option src wan
#  option dest lan
#  option dest_port 443
#  option target ACCEPT
#  option family ipv6

config rule
 option name node-exporter
 option src wan
 option dest lan
 option dest_port 9101
 option target ACCEPT
 option family ipv6

config rule
 option name mail587-ipv6
 option src wan
 option dest lan
 option dest_port 587
 option target ACCEPT
 option family ipv6

EOF
} | cedit /etc/config/firewall || firewall_restart=true
### end firewall edits ###


# firewall comment:
# not using and in newer wrt, fails, probably due to nonexistent file, error output
# on:

# Reference error: left-hand side expression is not an array or object
# In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3137, byte 12:
#   called from function [arrow function] (/usr/share/ucode/fw4.uc:733:71)
#   called from function foreach ([C])
#   called from function [anonymous function] (/usr/share/ucode/fw4.uc:733:72)
#   called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
#   called from anonymous function (/usr/share/firewall4/main.uc:143:29)
#
#  `        if (!inc.enabled) {`
#   Near here -------^
#
#
# The rendered ruleset contains errors, not doing firewall restart.
# /usr/bin/wrt-setup-local:160:error: ""$@"" returned 1

## include a file with users custom iptables rules
#config include
#       option path /etc/firewall.user
#       option type 'restore'
#       option family 'ipv4'



# not using wireguard for now
# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
#   # cant mix cedit plus uci
#   echo | cedit /etc/config/firewall ||:
#   uci add_list firewall.@zone[1].network=wg0
#   uci commit firewall
#   firewall-cedit ||:
#   firewall_restart=true
# fi



cedit /etc/hosts <<EOF ||:
127.0.1.1 $hostname
EOF


#mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
# if [[ $mail_host ]]; then
#     sed -i '/^$mail_host/a mail.iankelling.org' /etc/hosts
# fi


uset dhcp.@dnsmasq[0].domain b8.nz
uset system.@system[0].hostname $hostname
uset dhcp.@dnsmasq[0].local

# uci doesnt seem to have a way to set an empty value,
# if you delete it, it goes back to the default. this seems
# to be a decent workaround.
# todo: setup /etc/resolv.conf to point to 127.0.0.1
# later note: disabled, I dunno why I set this.
# uset dhcp.@dnsmasq[0].resolvfile /dev/null

# if dnsmasq happens to not send out a dns server,
# odhcpd will send one out like this:
# NetworkManager[953]: <info>  [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers   => 'fd58:5801:8e02::1'
# but i dont want ipv6 dns, just keep it simple to ipv4.
# I know my isp doesnt have ipv6 right now,
# so just stop this thing.
# note: tried this, it didn't do anything:
# uset dhcp.@odhcpd[0].dns 10.2.0.1

# iank, disablde while debugging.
#/etc/init.d/odhcpd stop
#/etc/init.d/odhcpd disable

# todo: make the above conditional on which server this is.

## left commented in case we have ipv6 problems in the future
# avoid errors in log. current isp doesnt have ipv6
#uset unbound.@unbound[0].protocol ip4_only

# todo: im not sure all these are needed, but they all look
# like good options.
# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
#
# # i found that the zone example was having no effect on the config
# # here:
# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
#
# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
# # kind of coordination with dhcp of dnsmasq, but what?
#
# note: for debugging, edit /etc/init.d/unbound, change
# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
# to:
# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF

if ! $ap; then
  {
    cat <<'EOF'
do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip6: no
private-domain: b8.nz
local-zone: "10.in-addr.arpa." transparent
access-control-view: 10.2.0.31/32 "youtube"
EOF

    if $zblock; then
      cat <<'EOF'
# no sy until that dongle is used by ziva

# syw
#access-control-view: 10.2.0.7/32 "youtube"
# bow
access-control-view: 10.2.0.29/32 "youtube"
# samsungtab
access-control-view: 10.2.0.32/32 "youtube"
EOF
    fi
  } | cedit /etc/unbound/unbound_srv.conf  || unbound_restart=true


  # dns based blocking vs ip based. with ip, same
  # server can have multiple domains. in dns,
  # you have to make sure clients to use the local dns.
  # https dns will need to be blocked by ip in
  # order to be comprehensive



  {
    . /root/ptr-data
    cat  <<EOF

local-data-ptr: "10.2.0.1 cmc.b8.nz"

local-data-ptr: "10.174.2.2 transmission.b8.nz"
local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
local-data-ptr: "10.173.8.2 nn.b8.nz"

forward-zone:
  name: "."
#  forward-addr: 8.8.8.8
#  forward-addr: 8.8.8.8

# ssl disabled due to this error:
#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
# from about feb 2022

# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
#  forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
#  forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
#  forward-ssl-upstream: yes
  forward-first: no
  forward-addr: 1.1.1.3
  forward-addr: 1.0.0.3

view:
  name: "youtube"
  local-zone: "googlevideo.com." refuse
  local-zone: "video.google.com." refuse
  local-zone: "youtu.be." refuse
  local-zone: "youtube-nocookie.com." refuse
  local-zone: "youtube-ui.l.google.com." refuse
  local-zone: "youtube.com." refuse
  local-zone: "youtube.googleapis.com." refuse
  local-zone: "youtubeeducation.com." refuse
  local-zone: "youtubei.googleapis.com." refuse
  local-zone: "yt3.ggpht.com." refuse
  local-zone: "youtubekids.com." refuse
  # try global if no match in view
  view-first: yes
EOF
  } | cedit /etc/unbound/unbound_ext.conf || unbound_restart=true


  if $unbound_restart; then
    /etc/init.d/unbound restart
    if ! unbound-checkconf; then
      echo $0: error: unbound-checkconf failed >&2
      exit 1
    fi
  fi
fi # end if $ap

# # disabled for now. i want to selectively enable it
# # for specific hosts.
# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
#   v uci set adblock.global.adb_enabled=0
#   uci commit adblock
#   /etc/init.d/adblock restart
# fi
# # https://github.com/openwrt/packages/tree/master/net/adblock/files
# cat >/etc/crontabs/root <<'EOF'
# 0 06 * * *    /etc/init.d/adblock reload
# EOF


# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

# sometimes /mnt/usb fails, cuz it's just a flash drive,
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot

{
  # generated with host-info-update
  . /root/dnsmasq-data
  cat <<EOF
# no dns
port=0
server=/b8.nz/#
ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz


# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind
rebind-domain-ok=b8.nz

# This says the ip of dns server.
# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
# To see it in action, I ran this from a client machine:
# sudo dhcpcd -o domain_name_servers -T
dhcp-option=option:dns-server,$l.1

# use this when doing fai to get the right timezone, its nfsroot is
# setup to use this dhcp option only and call ntpdate.
# generate ips with:
# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done
dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4


# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s \$x -c US -i firefox -m weighted -J 10 -w; echo \$x; hr;  done
# google
server=1.1.1.3
server=1.0.0.3
server=2606:4700:4700::1113
server=2606:4700:4700::1003

server=10.2.0.1
# server=8.8.4.4
# server=8.8.8.8
# server=2001:4860:4860::8888
# server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>
# or on cmc,
# /etc/init.d/dnsmasq stop
# vi /tmp/dhcp.leases
# /etc/init.d/dnsmasq start


# default dhcp range is 100-150

# template
# dhcp-host=,$l.,

# pxe tftpboot for arch-like. todo: openwrt snapshot from 2022-01, it cant
# access /mnt/usb/tftpboot due to ujail sandbox
#enable-tftp=br-lan
#tftp-root=/mnt/usb/tftpboot
#tftp-root=/var/run/dnsmasq/tftpboot


dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf

# for debugging dhcp
#log-queries=extra
EOF
} | cedit /etc/dnsmasq.conf || dnsmasq_restart=true



if $dnsmasq_restart && ! $dev2 && ! $ap; then
  # todo: can our ptr records be put in /etc/hosts?
  # eg: user normal /etc/hosts records, and they wont be used for A resolution
  # due to the other settings, but will be used for ptr? then maybe
  # we dont have to restart dnsmasq for a dns update?
  #
  # interesing link:
  # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
  # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
  # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
  #
  # Also, reload of dnsmasq seems to break things, wifi
  # clients were not getting internet connectivity.

  v /etc/init.d/dnsmasq restart
fi

if $ap; then
  v /etc/init.d/firewall disable
  v /etc/init.d/firewall stop
elif $firewall_restart; then
  v /etc/init.d/firewall restart
fi

## turn off luci
# if already stopped, gives error we want to ignore
/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'
/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}'

# this may just restart the network and take care of the network_restart below.
if $wireless_restart; then
  v wifi
fi

# todo: we should catch errors and still run this if needed
if $network_restart; then
  reboot
fi

v exit 0